Iranian Cyber Group Handala Claims Cal Water Hack

Jeff Davies 12 Jun 2026 4 min read

1. Executive summary

The Iran-linked threat actor "Handala" claims to have compromised California Water Service (Cal Water), exfiltrating approximately 5GB of data including customer PII, billing records, and administrative credentials for the RTKBase GNSS platform. While no specific CVEs or CVSS scores are identified in this incident, the actor's known toolkit includes custom wipers (win.handala, Hamsa Wiper) and MBR-overwriting capabilities, indicating a high risk of escalation from data theft to destructive operations. Attribution to Handala is treated as unconfirmed per MITRE ATT&CK profiling standards, though the group is historically linked to Iran's Ministry of Intelligence and Security (MOIS). EMEA financial services clients should treat this as a precursor event, validating supply chain security and incident response readiness given the actor's stated intent to disrupt critical infrastructure.

2. Regulatory framing

Article | Trigger (the fact in this item) | Practical impact
DORA Art. 17 | Potential intrusion into billing systems and exposure of administrative credentials. | Financial entities must ensure ICT-related incident management processes can detect and respond to credential compromise and lateral movement from third-party platforms.
DORA Art. 18 | Exfiltration of PII and billing data; claims of potential service disruption. | Entities must classify this type of data breach and potential service availability threat according to established criteria to determine reporting thresholds.
DORA Art. 19 | If similar attacks target financial entities causing major service disruption or data loss. | Major ICT-related incidents resulting from similar supply chain compromises must be reported to competent authorities within statutory timelines.
DORA Art. 24 | Actor's use of custom wipers and destructive capabilities. | Digital operational resilience testing must cover scenarios involving destructive malware and wiper attacks, not just data exfiltration.
DORA Art. 28 | Compromise of RTKBase (third-party platform) leading to billing system access. | General principles for ICT third-party risk management require assessing how third-party provider vulnerabilities impact the entity's own security.
NIS2 Art. 21(2)(d) | Lateral movement from a specialized platform (RTKBase) to core business systems (billing). | Supply chain security measures must address risks where third-party software serves as an initial access vector to critical internal networks.
NIS2 Art. 23 | Confirmed exfiltration of PII and credentials. | Incident reporting obligations are triggered if a similar incident affects essential entities under NIS2 scope.
UK NIS 2018 | Compromise of infrastructure supporting utility services (analogous to OES/RDSP duties). | Operators of Essential Services and Relevant Digital Service Providers must maintain capabilities to manage and report such intrusions.

Note: No specific CISA KEV entries or CVSS scores are applicable to this item as no specific CVEs were identified in the source material.

3. Technical analysis & attack chain

Attribution Status: The actor "Handala" has no official MITRE ATT&CK profile; attribution is based on vendor reporting and is treated as unconfirmed.

Confirmed/Assessed Attack Chain

  1. Initial Access: The actor likely gained access via an internet-facing RTKBase instance (a GNSS base station platform). Dataminr assesses this as the probable initial access vector.
  2. Reconnaissance & Enumeration: The actor enumerated IP addresses associated with Cal Water's NTRIP (Networked Transport of RTCM via Internet Protocol) network across seven district mountpoints.
  3. Credential Harvesting: Administrative credentials for the RTKBase platform and a mountpoint-level NTRIP source password were exfiltrated.
  4. Lateral Movement: Using the compromised RTKBase environment as a pivot point, the actor moved laterally to access a customer billing database.
  5. Exfiltration: A bulk database export was performed, containing Personally Identifiable Information (PII) including names, addresses, phone numbers, account numbers, and payment histories. Total volume approx. 5GB.
  6. Impact: Data leakage confirmed; service disruption (water access) claimed but not executed.

Technical Specifics

  • Targeted Component: RTKBase (GNSS base station software).
  • Protocol: NTRIP (used for streaming GPS correction data).
  • Operational Context: The compromised RTKBase instance had been operational for approximately 783 continuous hours at the time of access.
  • Malware Capabilities (Historical/Associated): While not confirmed in this specific intrusion, Dataminr notes Handala's toolkit includes custom wipers (win.handala, Handala Wiper, Hamsa Wiper) and Master Boot Record (MBR) overwriting capabilities.
  • Unconfirmed Claims: The group claimed the ability to disrupt water access but explicitly stated they chose not to. No OT/ICS disruption is confirmed in this incident.

4. Mitigation & containment

Priority 1 (Within 24h)

  • Credential Rotation: Immediately rotate all administrative credentials for any RTKBase instances and associated NTRIP source passwords. Assume all exposed credentials are compromised.
  • Network Segmentation Review: Audit network segmentation between specialized operational platforms (like RTKBase/GNSS) and core business systems (billing, HR, PII databases). Enforce strict firewall rules preventing direct lateral movement from OT/IoT zones to IT zones.
  • Offline Audit: If RTKBase instances are not critical for real-time operations, consider taking them offline temporarily for forensic auditing.

Priority 2 (Within 72h)

  • Log Analysis: Review access logs for RTKBase and billing systems for anomalous enumeration activities (e.g., bulk exports, unusual NTRIP mountpoint queries).
  • Threat Hunting: Search endpoints for indicators associated with Handala's known wipers (win.handala, Hamsa Wiper) and MBR overwriting tools, even if not confirmed in this specific case, due to the actor's modus operandi.
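A small detection heuristic for the log-review step above, added here as an example; it is not part of the advisory and not RTKBase's own tooling. The access-log format ("<ts> <client_ip> <method> <path> <status>"), the IP addresses and the mountpoint names are all constructed assumptions. It flags a client that requests many distinct NTRIP mountpoints within a short window (the cross-mountpoint enumeration pattern described in section 3) and counts 401 responses per client as a signal of mountpoint password guessing.

```python
# Added example, not from the advisory: flag NTRIP caster clients that enumerate
# many distinct mountpoints in a short window (Priority 2 log review). The log
# format "<ts> <client_ip> <method> <path> <status>" and the sample are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-06-10T02:14:03Z 198.51.100.20 GET /CWS_DISTRICT1 200
2026-06-10T02:14:05Z 203.0.113.7 GET / 200
2026-06-10T02:14:09Z 203.0.113.7 GET /CWS_DISTRICT1 200
2026-06-10T02:14:11Z 203.0.113.7 GET /CWS_DISTRICT2 401
2026-06-10T02:14:12Z 203.0.113.7 GET /CWS_DISTRICT3 401
2026-06-10T02:14:14Z 203.0.113.7 GET /CWS_DISTRICT4 401
2026-06-10T02:14:15Z 203.0.113.7 GET /CWS_DISTRICT5 200
2026-06-10T02:14:17Z 203.0.113.7 GET /CWS_DISTRICT6 200
2026-06-10T02:14:18Z 203.0.113.7 GET /CWS_DISTRICT7 200
"""

def parse_line(line):
    ts, ip, _method, path, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, int(status)

def find_enumerators(log_text, window=timedelta(minutes=10), threshold=4):
    """Map client IP -> sorted distinct mountpoints for clients that requested
    at least `threshold` distinct mountpoints inside one `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, path, _status = parse_line(line)
            if path != "/":  # "/" is the sourcetable listing, not a mountpoint
                events[ip].append((ts, path))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {p for t, p in evs[i:] if t - start <= window}
            if len(seen) >= threshold:
                flagged[ip] = sorted(seen)
                break
    return flagged

def failed_auth_counts(log_text):
    """Map client IP -> number of 401 responses (mountpoint password guessing)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, _path, status = parse_line(line)
            if status == 401:
                counts[ip] += 1
    return dict(counts)
```

Tune `window` and `threshold` to the number of legitimate mountpoints a single rover normally consumes; a surveying client that only ever streams one district's corrections should never trip the threshold.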

Priority 3 (Within 7 days)

  • Third-Party Assessment: Conduct a preliminary assessment of ICT concentration risk (DORA Art. 29) for vendors providing niche operational platforms (like GNSS/RTKBase) that have connectivity to sensitive data environments.
  • Contractual Review: Review key contractual provisions with ICT third-party providers (DORA Art. 30) to ensure they mandate immediate notification of breaches affecting shared infrastructure.

5. Indicators of compromise

No specific file hashes, IP addresses, or domains were provided in the source material for this specific incident. The following are contextual indicators based on the actor's claimed tools and targeted platforms.

Type | Value | Confidence | Source
Malware family | win.handala | Low (historical) | SecurityWeek / Dataminr
Malware family | Handala Wiper | Low (historical) | SecurityWeek / Dataminr
Malware family | Hamsa Wiper | Low (historical) | SecurityWeek / Dataminr
Platform | RTKBase | High (target) | SecurityWeek / Dataminr
Protocol | NTRIP | High (target) | SecurityWeek / Dataminr

6. Detection

Insufficient indicators to author detection rules. The source material provides names of malware families (win.handala, Hamsa Wiper) but does not provide distinctive strings, command-line flags, mutex names, file paths, registry keys, or code snippets required to construct a functional YARA or Sigma rule without fabrication. Analysts should monitor for the filenames if known from other intelligence sources, but no rule can be generated solely from the provided text.

7. Sources

  • SecurityWeek, "Iranian Cyber Group Handala Claims Cal Water Hack", https://www.securityweek.com/iranian-cyber-group-handala-claims-cal-water-hack/, 2026-06-12.
  • Dataminr (cited within SecurityWeek article), "Threat intelligence assessment on Handala/Cal Water incident", 2026-06-12.

8. Adverse Trace position

We assess this incident as a significant warning signal for sectors relying on specialized third-party operational platforms (such as GNSS/RTKBase) that may lack the same security maturity as core IT systems. Although no specific CVE with a CVSS score is identified here, the actor's proven capability to escalate from data exfiltration to destructive wiper attacks necessitates an elevated threat posture. We recommend EMEA financial clients immediately verify the segmentation of any non-standard operational software from their PII and billing databases. We will continue to monitor for confirmed attribution and the release of specific technical artifacts (hashes, C2 infrastructure) associated with this campaign.


Published via PulseTrace — Adverse Trace threat intelligence.
